Rubrik Cloud Data Management
search cancel

Rubrik Cloud Data Management


Article ID: 327960


Updated On:




This article provides information on the availability of Rubrik Cloud Data Management (CDM) 5.3 as a solution for protecting VMware Cloud workloads running in VMware Cloud on AWS and VMware Cloud on Dell EMC.
Disclaimer:  The partner solution referenced in this article is a solution that is developed and supported by a partner. The use of this product is also governed by the end-user license agreement of the partner. You must obtain from the partner the application, support, and licensing for using this product. For more information, see Rubrik Support.
Here is a summary of target use cases, solution architecture, solution components, and support information.
Use Cases

VMware Cloud on AWS

For Virtual Machines running on VMware Cloud on AWS environments, Rubrik Cloud Data Management enables a policy driven approach to data protection delivering:
  • Backup and recovery
  • Off-site replication and disaster recovery
  • Data archival
  • Search & analytics
  • Test & development workflows
Use cases that are not supported on VMware Cloud on AWS
  • Live Mount / Instant Recovery
  • Continuous Data Protection
Solution Architecture
Rubrik Cloud Data Management is a software-defined platform that unifies backup, recovery, replication, search, analytics, archival, compliance, and copies data management in one secure fabric across the data center and cloud. To protect Virtual Machines running on VMware Cloud on AWS environments, Rubrik’s Cloud Data Management software is deployed to the AWS VPC attached to the customer’s VMware Cloud on AWS SDDC. Once the deployment is complete, customers simply define declarative protection policies (data backup, archival, and replication) based on their data governance needs and assign them to VMs, clusters, folders, or via tag rules.


Solution Components
Rubrik CDM is deployed as a purpose built appliance so no separate software installation is necessary. The deployment process for protecting VMware Cloud on AWS workloads consists of launching a cluster of M5.4xlarge EC2 instances, known as a Cloud Cluster, from the AWS Marketplace into the VPC attached to the protected SDDC. These instances can be deployed directly from the AWS Marketplace, via the Amazon EC2 console, or by utilizing an AWS CloudFormation template provided by Rubrik. Once these instances are deployed and the cluster is initialized, the customer simply adds their SDDC to Rubrik CDM, then begins creating and assigning SLA Domain Policies as required via Rubrik’s management user interface.
Rubrik clusters use the vSphere Storage APIs – Data Protection (VADP) and the Virtual Disk Development Kit (VDDK) to integrate with vSphere to deliver highly efficient virtual machine image level data protection and recovery. When protecting VMware Cloud on AWS workloads, Rubrik CDM leverages the hotadd transport mode for data transmission to and from the Rubrik CDM cluster. The proxies required to support this transport mode are automatically provisioned, monitored, scaled, and deprovisioned by Rubrik CDM. The customer needs only to provide the network segment(s) in which they will run when adding the SDDC. In addition to protecting your virtual environment, Rubrik can also protect file shares, databases, and public cloud workloads.
For more information on product deployment, interoperability, or compatibility with VMware products, see
Operational Overview
The following activities are typical for an enterprise customer deploying Rubrik CDM to protect VMware Cloud on AWS workloads.

VMware Cloud on AWS Network configuration
Below is a recommended list of rules for use in the AWS Security Group applied to the Rubrik Cloud Cluster running in the connected AWS VPC:
Suggested Cloud Cluster Security Group Rules
DirectionSource / DestinationServicePurpose
Inbound<SG ID of this SG>AllIntra-cluster communication
InboundManagement SG or CIDRTCP 22Cluster Admin CLI
InboundManagement SG or CIDRTCP 443Cluster Admin UI
OutboundHotAdd Proxy CIDRTCP 58000Proxy Control
OutboundvCenter IPTCP 7444vCenter SSO
OutboundvCenter IPTCP 443vCenter API
OutboundESXi CIDRTCP 443vSphere API
OutboundProtected vSphere VM CIDRTCP 12800-12801Rubrik Backup Service

Additionally, consider whitelisting TCP 443 outbound globally in order to facilitate log bundle collection, support tunnel access, CloudOut, etc. If specific IP ranges are required, please contact Rubrik support.
Similarly, the AWS Compute and Management gateway firewalls will need to be configured to allow the following traffic flows. The distributed firewall should also be configured to allow this traffic flows, as should any 3rd party network devices in the data path.
Suggested Compute Gateway Rules
SourceDestinationServiceApplied ToPurpose
Connected VPCProxy Network SegmentTCP 58000VPC InterfaceProxy Control
Connected VPCProtected VM Segment(s)TCP 12800-12801VPC InterfaceRBS File Restore
Suggested Management Gateway Rules
Connected VPCvCenterTCP 7444vCenter SSO
Connected VPCvCenterTCP 443vCenter API
Connected VPCESXiTCP 443vSphere API
Proxy Network SegmentvCenterTCP 7444vCenter SSO
Proxy Network SegmentvCenterTCP 443vCenter API
Proxy Network SegmentESXiTCP 902vSphere API

The diagram below depicts a typical deployment scenario where a customer is protecting their SDDC utilizing a Rubrik Cloud Cluster in the attached AWS VPC.

Initial Setup and Configuration
Once the Cloud Cluster has been deployed, and bootstrapped, it is ready to use. The customer simply adds their SDDC as a vCenter Server within Rubrik CDM using an account assigned the built-in cloudadmin role. Rubrik will detect the SDDC, prompt the user for credentials, and then prompt the user to select a network segment for proxy deployment as well as their preference for DHCP or static proxy IP assignment. Once complete, Rubrik will automatically begin deploying hotadd proxies as required to the SDDC’s vSphere cluster(s) and will iterate the discovered VMs and other assets into the Rubrik console, ready for protection. You can begin interacting with the newly discovered VMs by using the No SLA link on the main dashboard.

SLA Domain Policies
Rubrik’s SLA Domains simplify data protection by abstracting the desired RPO, RTO, Availability, and Replication requirements into a declarative policy. Rubrik provides Gold, Silver, and Bronze default SLA Domains that are ready for immediate use.
For example, an enterprise could choose to protect mission-critical workloads with the data backup, retention, replication, and archival policies specified in the Gold SLA Domain and protect web servers through the policies defined in the Bronze SLA Domain.
Custom SLA Domains can be quickly and easily created. Create custom SLA Domains to apply to groups of virtual machines. Use the custom SLA Domains to meet the data protection and retention requirements of different groups of virtual machines and applications.

Workload Protection
To protect a workload, select any vSphere object such as a folder, cluster, data center, or individual virtual machines running in the SDDC that you would like to protect. Click Manage Protection. From there, a list of available SLA Domains will be presented.

In the following example, the horizon-sql-01 virtual machine is assigned the Horizon Infrastructure SLA Domain.

File Search and Recovery
The Rubrik cluster provides file-level restore (FLR) of files and folders from any local snapshot, replica, or archival snapshot that was successfully indexed. The guest OS of the source virtual machine must have a current version of VMware Tools running to enable successful indexing. Restore a file from a data protection object through the Rubrik cluster web UI. Browse the virtual machine file system on the data protection object and select the file.
The Rubrik cluster processes the request and provides a link for download of the file or allows for an in-place restoration to the original workload.

For image-level recovery of VMware Cloud on AWS VMs, Rubrik offers the Export operation. When exporting a snapshot, the user selects the cluster or host and datastore they wish to recover to. Customers can also choose to remove NICs, preserve the MAC, and include or exclude tags when exporting a snapshot.

Features of the Backup Solution
QuestionsChoose from the list (all that apply)
Provide free text when there is no list
What backup repositories are supported? 
AWS S3, AWS EC2, AWS cross-region, on-premises object or NAS, Azure Blob, Google Cloud Storage, S3 Compliant Object
How is backup data transmitted to the repository? ENI
Describe the implementation of the Datamover componentMulti Proxy
Datamover Scale One per SDDC to Multiple per cluster 
 In large SDDCs (>500 VMs, >nTBs), your solution may scale data movers.  How do you scale?
Data mover scale is determined but the number of VMs and SLA domain policy
How are additional data movers provisioned?  Automatic
Describe additional functionalities of image-based backups File-based recovery
App consistency via VSS
App consistency via pre/postscript
Describe if in-guest backup options are available API
Describe security features 
Encryption at rest
Encryption in transit 

Immutable Filesystem
Describe network bandwidth/utilization control features Configurable bandwidth 
Describe the design of deduplication/compression features Source Side (VMC) 
Describe added-value services/features not listed above 
Ransomware detection and rollback via Polaris Radar
Data classification via Polaris Sonar

Hybrid centralized management: Describe how on-premises and VMC backups can be managed. Do you support single management console?

Unified management for VMC, on-prem vSphere, databases, filesystems,
and public cloud workloads via Rubrik’s Polaris platform


Hybrid restore/migration mode:
Describe how a VM can be restored from on-premises backup to VMC or from VMC to on-premises 
For example, let’s say that you have a hybrid configuration.  On-premise with local backup, in VMC with cloud backup.  What happens if an on-premise VM is migrated to VMC?  Will the backup solution automatically update the location of the repository or will the VM still be backed up on premise? 
Yes. vSphere VMs can be protected, replicated, and restored between Rubrik clusters protecting VMware Cloud on AWS SDDCs and those protecting traditional VMware environments. Upon restoration to the target site, Rubrik will automatically discover the newly protected VM and apply the appropriate policy locally.


VMware Cloud on Dell EMC

Solution Architecture
Depending on the scale of the Dimension environment and the infrastructure available at the Dimension site, either a Rubrik appliance, a virtual Rubrik cluster, or a Rubrik edge can be deployed.

For small Dimension environments, where no additional infrastructure is expected at the ROBO site, a virtual Rubrik edge is deployed in the Dimension environment. Rubrik Edge cannot be deployed as a standalone product and must be configured to replicate to a Rubrik cluster or archive to a replication location or both.

For larger Dimension environments, where additional infrastructure is expected at the datacenter, a Rubrik appliance is deployed in the data center. It has to be configured to protect Dimension similar to the configuration to protect VMC on AWS.

For more information on product deployment, interoperability, or compatibility with VMware products, see

Support Information
Troubleshooting (logs, procedures, and techniques)
  • The Rubrik cluster provides a built-in tunnel utility to permit Rubrik Support to make a secure remote connection to the Rubrik cluster. Rubrik Support uses the tunnel to examine the health of the Rubrik cluster and to troubleshoot and resolve issues.
  • Rubrik support bundles can be generated offline if a support tunnel cannot be established.
  • Relevant VMware vSphere logs can also be gathered to assist with troubleshooting.
  • Link to product documentation Product documentation is available to Rubrik customers through the support portal -
  • Link to the product downloads siteProduct patches are available to Rubrik customers through the downloads section of the support portal -
Support Process
  • The support team can be contacted using the support portal, email, or phone.
  • New support cases can be easily created using the support portal -
Support SLAs
  • Premium support: Rubrik provides around-the-clock support and customized support to deliver the best customer experience. Our highly experienced Support Engineers deliver proactive, real-time professional services 24/7 to increase your stability, efficiency, and effectiveness. For more information, see the Rubrik Premium support data sheet.
  • Proactive add-on support: Proactive health monitoring and a designated point of contact to call on top of your premium support. For more information, see Rubrik Proactive add-on support data sheet.
  • Enterprise add-on support: All of the benefits of Proactive add-on support plus your own dedicated senior support engineer with an in-depth knowledge of your environment. For more information, see Rubrik Enterprise add-on support data sheet.
For more information on Rubrik Cloud Data Management, see